Not to be antagonistic, but a healthcare CIO in which country? This is very relevant because outside of the US, I think it is probably fair that most people who are most active on HN are from countries with public health care, and stronger consumer protection and privacy laws.
The healthcare outcomes are absolutely critical in evaluating the use and value of these tools, but there are second and third order effects from using the tools that need to be contextualized with the specific motivations of executives endorsing the tools.
There is definitely a closed-source defender advantage where an attacker doesn't have access to the code, binary, or environment that can be instrumented (so basically, running in the cloud), but there have been several very effective technical demonstrations of LLM guided or agentic approaches to assessing the security of closed source tools, and I have had some successes personally using LLMs with tool use to manage binary analysis tools to perform reverse engineering of closed source packages.
For many attack scenarios the boundary is really if you can establish an effective canary or oracle for determining if a change in input results in a change in output, once you have that, it's simply a matter of scaling your testing or attack (for fuzzing, for blind injection, or any other number of attacks that depend on getting signal from a service).
And the following part that is more important is the agent that attempts the fix in code, the agent that tests the fix and reports on performance and functional impacts, and the agent that triggers the build and release to production.
Everything up to finding and validating the bug is a huge win in vuln/exploit development, everything after validating the bug is a huge win for defensive security and a massive gap until the tools are generally available :S
If CPU failure was a leading cause of device obsolescence, your argument would make sense. Next, the EU or other regulators should explicitly regulate software mechanisms that prevent owners of a device from installing an alternate OS, enabling open source or aftermarket OS developers to support devices that mainstream vendors no longer want to support.
It's a meaningful difference for SaaS. Most likely an attacker doesn't have access to your running binary let alone source code, and if they probe it like a pentester would it will be noisy and blocked/flagged by your WAF.
Meh. I get the annoyance, but it's a one time cost for a small subset of their users. I would prefer if there was a flow during device setup that allowed you to opt into developer mode (with all the attendant big scary warnings), but it's a pretty reasonable balance for the vast majority of their users. (I suspect the number of scammers that are able to get a victim to buy a whole new device and onboard it is probably very low).
Good point, having a once off advanced option to completely bypass this at device setup would be good.
Also, other commenters have mentioned that adb is unaffected by this which makes it seem like less of a problem, to me at least. Still inconvenient that even if you adb install fdroid you can't install apps directly from it.
Or at least make it a liability on the balance sheet rather than an asset. Sure, you can store as much user data as you want. Oh, what's that, if it leaks you owe each user $10,000 under the new law?
You have conflated the joy of learning with the joy of building. I have been writing code since I was 6 years old and was left to my own devices with the vic-20, the manual, and BASIC instructions.
I have worked as a developer, security engineer, program manager and engineering manager through my career. Writing stuff to understand algorithms or hardware requires engaging with the math, science, and engineering of the software and hardware. Optimizing it or developing a novel algorithm requires deep comprehension.
Writing a service that shuffles a few things around between stuff on my home network so that I can build an automation to turn down the lights when I start playing a movie? Yeah, I could spend a day or two writing and testing it. Having done it a few times, the work of it is a bit of a chore, I'm not learning, just doing something. Using Claude or some other agent to do that makes it go from 'do I want to spend my time off doing a chore?' to 'I can design this and have it built in an hour'.
Making the jump to using the tools in my day job has been a bit more challenging because as a security engineer I have seen some hairy stuff over the last two years as AI generated stuff wends its way into production, but the tools and capabilities have expanded massively, and heck, my peers from Mozilla just published some awesome successes working with Anthropic to find new vulns :)
Don't let using tools take away the love of learning, use them to solve a problem and take care of the drudgery of building stuff.
OMG that manual. VIC-20 was my first code experience. I look back and cannot understand how 7 year-old me was patient enough to make a jumping jack guy appear on screen. Joy of Coding? Hell, no. I wanted to see if I could make it work. (I did, and I had no clue how to save to tape)
Sounds like you had one at home? If so, I'm a bit jealous. But also, hello, brother/sister!
Yep, my origin story is more fun, I actually got left at my dad's boss' office and was bored so I found a computer book and started reading it and rebooted the computer and followed the instructions. When they came back I had a very simple program going and after getting into a bit of trouble my dad's boss laughed it off and told my dad to get me a computer. He did (the vic-20). Several days later my parents turned it off and deleted my program and it took me a while to explain that I needed more gear to save my programs. Been stuck on the hardware acquisition loop since :P
Love the color that a real life story adds, and yours definitely is colorful. Thanks for sharing.
I moved recently. My hardware acquisition loop still has me in tangles. Where exactly am I going to put this retired enterprise-grade Dell server? Why am I doing this to myself? But, wow, it's a thing of beauty.
Reading you, I was debating on a loving kick in the rear. Can't really do that these days and some people react negatively to it. Sounds like you are reasonably self-aware though, so...
Nobody can teach you to own and control you. But you had better. Use tricks, treats, magic, whatever, but get to the damned end or make for damned sure you know why you walked away (and live with that).
Your life matters. Your ideas matter. Birth them. It hurts. Push through. Don't look back at your life and wonder what it would have been like if you had stuck with it. It hurts. But do it.
Or do whatever you want, but this random stranger votes "getting over".
The Internet created the backbone that allowed for rapid experimentation in communications technologies, and created the ability for anyone to create and share technologies and reach a huge audience very quickly.
Without the Internet, most consumer electronics would have been far more expensive to build, and would have been strictly controlled walled gardens, but the Internet in general and the Web in particular allowed so many inventors to flourish. Ever since that Genie was let out of the bottle, corporate and government interests have been trying to put it back in, and most companies are trying to build and reinforce walled gardens under the banner of unified app stores that extract insane rents.
Having worked in streaming media and entertainment for the last several years, I am solidly convinced that most of the streaming media services are built by people who essentially turned the tools they built to manage their pirated libraries into a saleable product :P